Not entirely unexpected, as this is recommended by many cybersecurity experts. So it's a logical choice. The password manager is purchased, rolled out, and people breathe a sigh of relief: the problem has been resolved.

Only: then, of course, you should use the password manager. I regularly sit at the table with organizations that have purchased a password manager. When I ask if the password manager is also being used, they nod no, shaking their heads. In fact, everyone experiences that purchasing a password manager does not lead to its use. But how do you solve that?

The password manager that no one uses

Data also confirms that password managers are not being used. In almost no organization, more than 5% of the employees actually use it. The rest stays true to old habits: weak passwords, password reuse, and jotting them down in notebooks or Excel lists.

IT people often say: “But didn't we inform employees about the new password manager?” We often hear from managers that learning and using a password manager shouldn't take time.

‍

But how can we expect a simple announcement to be enough to let everyone in the organization abandon old habits and become a successful user of a password manager? Especially when there are also older and less computer-savvy employees among them. This is not to their detriment, but they do need more support.

While the password manager is gathering dust, the number of cyber incidents rose caused by weak or reused passwords over the past year. The risks are increasing, so it is important that something is done about it.

The actual price of a password manager

Let's do the math. An organization of 200 employees pays around €5 per person per month for a password manager. That's €5 × 200 × 12 = €12,000 per year. Seems reasonable, right?

But if only 5% actually use it - and that's still optimistic - we're talking about 10 people. That €12,000 will then actually be spread over 10 active users. Suddenly, that password manager costs €1,200 per person per year, or €100 per active user per month.

That's what you pay for a tool that will catch dust with 190 out of 200 employees. That is no longer an investment, it is a waste of money that leads to false security. You think you've purchased a solution to cover one of the biggest cyber risks, even though that's not the case at all.

How are you going to explain this later to the management, who have struggled to convince you to invest €12,000 in safety?

A different approach does work

Fortunately, I also see organizations that take a different approach. They don't just roll out an app and hope it works out. They understand that technology only works if people also use it. They invest in guidance, training, and - yes - also in enforcement.

These organizations understand that buying a password manager is not the same as securing passwords. They see that there is a difference between implementing a tool and making a change in behavior. And the latter is much more difficult, but also much more important.

Why do we still tolerate this?

And that begs the question: why is this still accepted? By CISOs, IT departments, management, entrepreneurs. Why do we tolerate behavior that we know is unsafe? Why is there no enforcement, adjustment or intervention?

It's amazing that in 2025, we'll still allow our digital security to depend on mnemonics, yellow notes, and hope for luck.

It is time to put that passive attitude behind us. Invest not only in tooling, but also in behavioral change. Train your people and make it mandatory to use password managers. Because an unused password manager is nothing more than an expensive divestment.

We buy safety — and then leave it behind.